CVE-2008-0506

Coppermine Photo Gallery < 1.4.14 - Remote Code Execution via ImageMagick Picture Processing Parameters

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-0506. PoCs were published by Metasploit, waraxe, Janek Vind, and jduck, and include the Metasploit module exploits/unix/webapp/coppermine_piceditor.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Coppermine Photo Gallery's picEditor.php script when ImageMagick is used. The 'angle' parameter is manipulated to execute arbitrary commands via improper escaping in the 'exec' call.

Description

include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/16909

This Metasploit module exploits a command injection vulnerability in Coppermine Photo Gallery's picEditor.php script when ImageMagick is used. The 'angle' parameter is manipulated to execute arbitrary commands via improper escaping in the 'exec' call.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Coppermine Photo Gallery <= 1.4.14
No auth needed
Prerequisites: ImageMagick library configured in Coppermine · Access to picEditor.php
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by waraxe · text · webapps · php
https://www.exploit-db.com/exploits/5019

The exploit demonstrates a remote shell command execution vulnerability in Coppermine Photo Gallery 1.4.14 due to unsanitized user input in the 'angle' POST parameter, allowing arbitrary command execution via ImageMagick's 'convert' command. The PoC includes a crafted HTML form to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Coppermine Photo Gallery 1.4.14
No auth needed
Prerequisites: ImageMagick must be configured as the image processing method · The 'include' directory must be writable by the web server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Janek Vind, jduck · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/coppermine_piceditor.rb

This Metasploit module exploits a command injection vulnerability in Coppermine Photo Gallery's picEditor.php script. The vulnerability arises from improper escaping of user-supplied input in the 'angle' parameter, which is passed to the PHP 'exec' function when ImageMagick is configured.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Coppermine Photo Gallery versions 1.4.14 and earlier
No auth needed
Prerequisites: ImageMagick library configured in Coppermine · Access to the picEditor.php script
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Various Sources x_refsource_misc
http://www.waraxe.us/advisory-65.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0367
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/27512
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28682
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/487310/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019286
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5019

Scores

EPSS 0.5890
EPSS Percentile 99.0%

Details

CWE CWE-20
Status published
Products (1)
coppermine/coppermine_photo_gallery < 1.4.14
Published Jan 31, 2008
Tracked Since Feb 18, 2026